8366364: Address inconsistencies in SSLParameters object returned by SSLConfiguration#getSSLParameters() call

src/java.base/share/classes/sun/launcher/SecuritySettings.java

@@ -146,6 +146,16 @@ private static void printSecurityTLSConfig(boolean verbose) {
                     ostream.println(THREEINDENT + s);
                 }
             }
+
+            ostream.println("\n" + TWOINDENT + "Enabled Signature Schemes:");
+            String[] schemes = ssls.getSSLParameters().getSignatureSchemes();
+            if (schemes == null) {
+                ostream.println(THREEINDENT + "<none>");
+            } else {
+                for (String s : schemes) {
+                    ostream.println(THREEINDENT + s);
+                }
+            }
         }
 
         ostream.println();

src/java.base/share/classes/sun/security/ssl/NamedGroup.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -769,7 +769,9 @@ static final class SupportedGroups {
                     if (!group.isEmpty()) {
                         NamedGroup namedGroup = nameOf(group);
                         if (namedGroup != null) {
-                            if (namedGroup.isAvailable) {
+                            if (namedGroup.isAvailable
+                                    && namedGroup.isPermitted(
+                                    SSLAlgorithmConstraints.DEFAULT)) {
                                 groupList.add(namedGroup.name);
                             }
                         }   // ignore unknown groups
@@ -805,7 +807,8 @@ static final class SupportedGroups {
 
                 groupList = new ArrayList<>(groups.length);
                 for (NamedGroup group : groups) {
-                    if (group.isAvailable) {
+                    if (group.isAvailable && group.isPermitted(
+                            SSLAlgorithmConstraints.DEFAULT)) {
                         groupList.add(group.name);
                     }
                 }

src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java

@@ -38,6 +38,7 @@
 import javax.net.ssl.SSLSocket;
 import sun.security.ssl.SSLExtension.ClientExtensions;
 import sun.security.ssl.SSLExtension.ServerExtensions;
+import sun.security.ssl.SignatureScheme.SupportedSigSchemes;
 
 /**
  * SSL/(D)TLS configuration.
@@ -241,8 +242,12 @@ final class SSLConfiguration implements Cloneable {
         this.maximumPacketSize = 0;         // please reset it explicitly later
 
         this.signatureSchemes = isClientMode ?
-                CustomizedClientSignatureSchemes.signatureSchemes :
-                CustomizedServerSignatureSchemes.signatureSchemes;
+                CustomizedClientSignatureSchemes.signatureSchemes != null ?
+                        CustomizedClientSignatureSchemes.signatureSchemes :
+                        SupportedSigSchemes.DEFAULT :
+                CustomizedServerSignatureSchemes.signatureSchemes != null ?
+                        CustomizedServerSignatureSchemes.signatureSchemes :
+                        SupportedSigSchemes.DEFAULT;
         this.namedGroups = NamedGroup.SupportedGroups.namedGroups;
         this.maximumProtocolVersion = ProtocolVersion.NONE;
         for (ProtocolVersion pv : enabledProtocols) {
@@ -362,7 +367,9 @@ void setSSLParameters(SSLParameters params) {
             // Note if 'ss' is empty, then no signature schemes should be
             // specified over the connections.
             this.signatureSchemes = ss;
-        }   // Otherwise, use the default values
+        } else {    // Otherwise, use the default values.
+            this.signatureSchemes = SupportedSigSchemes.DEFAULT;
+        }
 
         String[] ngs = params.getNamedGroups();
         if (ngs != null) {
@@ -514,7 +521,8 @@ SSLExtension[] getEnabledExtensions(
     void toggleClientMode() {
         this.isClientMode ^= true;
 
-        // Reset the signature schemes, if it was configured with SSLParameters.
+        // Reset the signature schemes, if it was configured with a
+        // system property.
         if (Arrays.equals(signatureSchemes,
                 CustomizedClientSignatureSchemes.signatureSchemes) ||
             Arrays.equals(signatureSchemes,

src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java

@@ -297,7 +297,7 @@ List<CipherSuite> getDefaultCipherSuites(boolean roleIsServer) {
      * Return whether a protocol list is the original default enabled
      * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()
      */
-    boolean isDefaultProtocolVesions(List<ProtocolVersion> protocols) {
+    boolean isDefaultProtocolVersions(List<ProtocolVersion> protocols) {
         return (protocols == getServerDefaultProtocolVersions()) ||
                (protocols == getClientDefaultProtocolVersions());
     }

src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -195,7 +195,7 @@ public void setUseClientMode(boolean useClientMode) {
              * default ones.
              */
             if (sslConfig.isClientMode != useClientMode) {
-                if (sslContext.isDefaultProtocolVesions(
+                if (sslContext.isDefaultProtocolVersions(
                         sslConfig.enabledProtocols)) {
                     sslConfig.enabledProtocols =
                         sslContext.getDefaultProtocolVersions(!useClientMode);

src/java.base/share/classes/sun/security/ssl/SignatureScheme.java

@@ -34,10 +34,10 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import sun.security.ssl.NamedGroup.NamedGroupSpec;
 import sun.security.ssl.X509Authentication.X509Possession;
@@ -413,11 +413,18 @@ private static List<SignatureScheme> getSupportedAlgorithms(
             List<ProtocolVersion> activeProtocols,
             Set<SSLScope> scopes) {
         List<SignatureScheme> supported = new LinkedList<>();
+        List<SignatureScheme> schemesToCheck;
 
-        List<SignatureScheme> schemesToCheck =
-                config.signatureSchemes == null ?
-                    Arrays.asList(SignatureScheme.values()) :
-                    namesOfAvailable(config.signatureSchemes);
+        // No need to look up the names of the default signature schemes.
+        if (config.signatureSchemes == SupportedSigSchemes.DEFAULT
+                || config.signatureSchemes == null) {
+            schemesToCheck = Arrays.asList(SignatureScheme.values());
+        } else {
+            schemesToCheck = Arrays.stream(config.signatureSchemes)
+                    .map(SignatureScheme::nameOf)
+                    .filter(Objects::nonNull)
+                    .toList();
+        }
 
         for (SignatureScheme ss: schemesToCheck) {
             if (!ss.isAvailable) {
@@ -471,7 +478,8 @@ static List<SignatureScheme> getSupportedAlgorithms(
                             SignatureScheme.nameOf(ssid));
                 }
             } else if ((config.signatureSchemes == null
-                        || Utilities.contains(config.signatureSchemes, ss.name))
+                    || config.signatureSchemes == SupportedSigSchemes.DEFAULT
+                    || Utilities.contains(config.signatureSchemes, ss.name))
                     && ss.isAllowed(constraints, protocolVersion, scopes)) {
                 supported.add(ss);
             } else {
@@ -614,33 +622,6 @@ static String[] getAlgorithmNames(Collection<SignatureScheme> schemes) {
         return new String[0];
     }
 
-    private static List<SignatureScheme> namesOfAvailable(
-                String[] signatureSchemes) {
-
-        if (signatureSchemes == null || signatureSchemes.length == 0) {
-            return Collections.emptyList();
-        }
-
-        List<SignatureScheme> sss = new ArrayList<>(signatureSchemes.length);
-        for (String ss : signatureSchemes) {
-            SignatureScheme scheme = SignatureScheme.nameOf(ss);
-            if (scheme == null || !scheme.isAvailable) {
-                if (SSLLogger.isOn &&
-                        SSLLogger.isOn("ssl,handshake,verbose")) {
-                    SSLLogger.finest(
-                            "Ignore the signature algorithm (" + ss
-                          + "), unsupported or unavailable");
-                }
-
-                continue;
-            }
-
-            sss.add(scheme);
-        }
-
-        return sss;
-    }
-
     // This method is used to get the signature instance of this signature
     // scheme for the specific public key.  Unlike getSigner(), the exception
     // is bubbled up.  If the public key does not support this signature
@@ -686,4 +667,15 @@ private Signature getSigner(PrivateKey privateKey) {
 
         return null;
     }
+
+    // Default signature schemes for SSLConfiguration.
+    static final class SupportedSigSchemes {
+
+        static final String[] DEFAULT = Arrays.stream(
+                        SignatureScheme.values())
+                .filter(ss -> ss.isAvailable
+                        && ss.isPermitted(
+                        SSLAlgorithmConstraints.DEFAULT, null))
+                .map(ss -> ss.name).toArray(String[]::new);
+    }
 }

src/java.base/share/classes/sun/security/ssl/TransportContext.java

@@ -471,7 +471,7 @@ void setUseClientMode(boolean useClientMode) {
          * default ones.
          */
         if (sslConfig.isClientMode != useClientMode) {
-            if (sslContext.isDefaultProtocolVesions(
+            if (sslContext.isDefaultProtocolVersions(
                     sslConfig.enabledProtocols)) {
                 sslConfig.enabledProtocols =
                         sslContext.getDefaultProtocolVersions(!useClientMode);

test/jdk/sun/security/ssl/CipherSuite/DisabledCurve.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 8246330
+ * @bug 8246330 8366364
  * @library /javax/net/ssl/templates /test/lib
  * @run main/othervm -Djdk.tls.namedGroups="secp384r1"
         DisabledCurve DISABLE_NONE PASS
@@ -35,7 +35,6 @@
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLException;
 
 import jdk.test.lib.security.SecurityUtils;
 
@@ -111,7 +110,7 @@ public static void main(String[] args) throws Exception {
                     throw new RuntimeException(
                             "Expected test to fail, but it passed");
                 }
-            } catch (SSLException | IllegalStateException ssle) {
+            } catch (NoClassDefFoundError | ExceptionInInitializerError ssle) {
                 if (expected.equals("FAIL") && disabled) {
                     System.out.println(
                             "Expected exception was thrown: TEST PASSED");

test/jdk/sun/security/ssl/CipherSuite/RestrictNamedGroup.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,8 +23,9 @@
 
 /*
  * @test
- * @bug 8226374 8242929
- * @library /javax/net/ssl/templates
+ * @bug 8226374 8242929 8366364
+ * @library /test/lib
+ *          /javax/net/ssl/templates
  * @summary Restrict signature algorithms and named groups
  * @run main/othervm RestrictNamedGroup x25519
  * @run main/othervm RestrictNamedGroup X448
@@ -38,11 +39,13 @@
  * @run main/othervm RestrictNamedGroup ffdhe8192
  */
 
+import static jdk.test.lib.Asserts.assertTrue;
+import static jdk.test.lib.Utils.runAndCheckException;
+
 import java.security.Security;
 import java.util.Arrays;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLServerSocket;
-import javax.net.ssl.SSLException;
 
 public class RestrictNamedGroup extends SSLSocketTemplate {
 
@@ -88,19 +91,14 @@ protected void configureServerSocket(SSLServerSocket serverSocket) {
      * Run the test case.
      */
     public static void main(String[] args) throws Exception {
-        // Named group is set as per run argument with no change in it's alphabet
+        // Named group is set as per run argument with no change in its alphabet
         Security.setProperty("jdk.tls.disabledAlgorithms", args[0]);
         System.setProperty("jdk.tls.namedGroups", args[0]);
 
         for (index = 0; index < protocols.length; index++) {
-            try {
-                (new RestrictNamedGroup()).run();
-            } catch (SSLException | IllegalStateException ssle) {
-                // The named group should be restricted.
-                continue;
-            }
-
-            throw new Exception("The test case should be disabled");
+            runAndCheckException(() -> new RestrictNamedGroup().run(),
+                    ex -> assertTrue(ex instanceof NoClassDefFoundError
+                            || ex instanceof ExceptionInInitializerError));
         }
     }
 }

test/jdk/tools/launcher/Settings.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,7 +25,7 @@
 
 /*
  * @test
- * @bug 6994753 7123582 8305950 8281658 8310201 8311653 8343804 8351354
+ * @bug 6994753 7123582 8305950 8281658 8310201 8311653 8343804 8351354 8366364
  * @summary tests -XshowSettings options
  * @modules jdk.compiler
  *          jdk.zipfs
@@ -84,6 +84,8 @@ static void checkNotContains(TestResult tr, String str) {
     private static final String TZDATA_SETTINGS = "tzdata version";
     private static final String ERR_MSG = "Unrecognized showSettings option:";
     private static final String ENABLED_GROUPS_SETTINGS = "Enabled Named Groups:";
+    private static final String ENABLED_SIG_SCHEMES_SETTINGS =
+            "Enabled Signature Schemes:";
 
     /*
      * "all" should print verbose settings
@@ -107,6 +109,7 @@ static void containsAllOptions(TestResult tr) {
             checkNotContains(tr, METRICS_NOT_AVAILABLE_MSG);
         }
         checkContains(tr, ENABLED_GROUPS_SETTINGS);
+        checkContains(tr, ENABLED_SIG_SCHEMES_SETTINGS);
     }
     /*
      * default (no options) should print non verbose
@@ -237,6 +240,7 @@ static void runTestOptionSecurityTLS() throws IOException {
         // test a well known TLS config for sanity
         checkContains(tr, "TLSv1.2");
         checkContains(tr, ENABLED_GROUPS_SETTINGS);
+        checkContains(tr, ENABLED_SIG_SCHEMES_SETTINGS);
     }
 
     // ensure error message is printed when unrecognized option used